3D printers are just as vulnerable to misconfiguration as other IoT devices
We live in times where printing means more than the generally understood activity of bringing digital documents into the physical world. Automatically building physical objects from raw material using a three-dimensional plan is also called 3D printing, and the machines doing it can connect to the internet.
If secured improperly, hackers can access them remotely in an attempt to sabotage operations or steal 3D plans for objects that may be the work of research and development departments. Another type of damage resulting from unauthorized control is remote printing of objects, which could make it overheat and catch fire.
Freelance cybersecurity consultant and senior handler for the SANS Internet Storm Center, Xavier Mertens, searched for online 3D printers that could be accessed without authentication and discovered over 3,700 of them. They all shared the same OctoPrint interface that should be protected with a strong, unique password.
OctoPrint is the web-based control panel for some 3D printers, and it allows feature control and monitoring of the operations and the state of the device. It shows a temperature graph that can record heat up to 572F (300 degrees Celsius). It also gives access to files that contain the details for building 3D parts.
These printers can interpret instructions in G-code, a numerical control programming language used in computer-aided manufacturing. The instructions are in plain text files with no protection, so anyone can open and alter them with a text editor.
Mertens says the OctoPrint interface includes a webcam monitoring feature that could impact user privacy. He says that, although the viewing angle focuses on the printing job, other details could be visible to an attacker, who could use them for leverage in a subsequent operation.
In the eyes of a hacker, 3D printers are no different than other connected devices they can access for harm or for financial gain. The difference is that controlling them has a direct, physical impact. Hackers could tamper with such a printer in a way that things are printed with an offset ever so slightly, but sufficient to not do its job risk-free.
Securing access to a 3D printer is not more difficult than with other connected devices. The first step is always to change the default credentials from the manufacturer with a custom set that includes as many types of characters as supported by the login process. With OctoPrint, the steps are available in the documentation.
Image credit: lppicture3D 3D printing authentication OctoPrint printer